NAIH (Hungary) - NAIH-85-3/2022
NAIH - NAIH-85-3/2022 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 6(1)(f) GDPR Article 6(4) GDPR Article 12(1) GDPR Article 13 GDPR Article 21 GDPR Article 21(2) GDPR Article 24(1) GDPR Article 25(1) GDPR Article 25(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 22.09.2021 |
Decided: | 08.02.2022 |
Published: | 24.04.2022 |
Fine: | 250,000,000 HUF |
Parties: | Budapest Bank Zrt. |
National Case Number/Name: | NAIH-85-3/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | Cesar Manso-Sayao |
xxx
English Summary
Facts
In September 2021, The Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság - NAIH) initiated an ex officio investigation against Budapest Bank Zrt. (hereinafter the Bank) related to the use of Artificial Intelligence (AI) software applied to the audio recordings of customer service telephone conversations between 25 May 2018 and the start of the investigation. According to the Bank, the software uses speech signal processing based on AI to identify periods of silence, different voices talking at the same time, key words, and emotional elements such as speed, volume and pitch of voice within the recorded sound files in order to identify customer dissatisfaction. Once the software has made an automated decision to identify calls according to these criteria, a highly qualified Bank employee then listens to the recordings, and will make call-backs to customers in order to handle and attempt to resolve any customer dissatisfaction issues within the calls. The Bank stated that its legal basis for this processing was based on legitimate interest, and its purpose was to conduct call quality control, to prevent complaints and customer churn, and to increase efficiency. The Bank stated that customers are informed at the beginning of calls that these are being recorded but admitted that they do not inform them that the software will be used to analyse the calls, since detailed information that is not too general could be either be misleading, or would make the introduction to the calls too long, outlasting many of the simple queries made in many calls. The Bank also claimed that the system does not store any identifiable personal data, or perform automated decision-making in order to create personal profiles.
Additionally, in a Data Protection Impact Assessment carried out by the Bank, the Data Protection Officer stated that: “The purpose of the processing is lawful on the basis of the rights of the data subjects and the business interests of the Bank, there is no direct or indirect legal prohibition. The processing is high-risk for several reasons, in particular the novelty of the technology used, as the audio recordings are analysed and findings are made automatically by artificial intelligence. The aggregate data is suitable for profiling or scoring for both sets of data subjects [customers and employees], and although no automated decision making is involved, the data processing may have legal effects on the data subjects. The high risk is mitigated by the controller through measures identified in the impact assessment, such as human decision- making at the end of automated processing. The exercise of data subjects' rights is ensured in accordance with standard practice.”
Holding
Personal Data The NAIH established that the software processed personal data since the data subject was indeed identifiable within this processing because the customer service calls are assigned a unique internal identification number that can be linked to the caller and the customer service employee. According to the NAIH, this was analogous to Court of Justice of the European Union case law C-582/14, which established that dynamic IP addresses are also personal data. According to the NAIH, the use of AI to identify emotional states should be considered processing of a sensitive nature, and could fall under the special category of personal data within the meaning of Article 9(1) GDPR in certain cases. However, the NAIH held that in this specific case Article 9(1) GDPR did not apply to the processing, because the voice analysis did not produce data that in itself could uniquely identify a data subject and therefore could not be considered biometric data, and also due to the fact that no meaningful inference as to the physical or mental state of health of the data subject could be drawn from the result of the processing. Automated decision-making and profiling The NAIH held that automated decision-making was carried out in this case, since it is not a prerequisite that the software makes the decision itself, and that it is sufficient if the processing is intended to produce an outcome that influences the decision-makers. The NAIH also established that profiling also took place according to the definition in Article 4(4) GDPR, since the prioritisation of dissatisfied customers based on key words and emotions implies the evaluation of personal aspects cited in the provision. Based on these assessments, and the fact that this is a novel technology, the NAIH noted that the processing created increased risks to fundamental rights, which also imply increased responsibilities on the controller. Therefore, the Bank should have been obliged to assess, before starting the automated voice analysis using AI, whether the processing was feasible under the current technical and social circumstances, and taken into consideration appropriate technical and organisational measures to comply with data protection rules and the principle of data protection by design. Based on these considerations, the NAIH held that the Bank’s failure to carry out these obligations constituted a violation of Article 24(1) GDPR, Article 25(1) GDPR and Article 25(2) GDPR.
Lack of proper information and right to object The NAIH noted that no information was given to the data subjects regarding the voice analysis about the specific types of data, how and in what way their emotional reactions were processed and assessed, which constituted a breach of Article 12(1) GDPR and Article 13 GDPR, as well as Article 5(1) GDPR and Article 5(2) GDPR. Furthermore, according to its previous assessments regarding automated decision-making and profiling, the NAIH held that absence of information related to the right to object lead to a breach of Article 21 GDPR. Additionally, the NAIH also considered that processing for customer retention purposes constitutes a marketing purpose similar to customer acquisition, and that therefore the Bank had also violated data subjects’ right to object under Article 21(2) GDPR. Balancing of interests and lawfulness of processing The NAIH held that the Bank had provided no concrete evidence that it had carried out an adequate balance of interests between its claimed legitimate interest to carry out the processing, and the rights of the data subjects involved. The NAIH noted that according to the technical documentation provided by the Bank, the effectiveness of the emotion analysis software is actually relatively low, that the Bank had failed to prove that, in its current form, its use was suitable to achieve its proposed objectives in a way that was proportionate to the affectation of data subjects’ rights. The NAIH also noted that the Bank had not demonstrated that any alternatives to this processing were considered. The NAIH also cited the European Data Protection Board and European Data Protection Supervisor’s Joint Opinion 5/2021 on the Artificial Intelligence Act, which state that “the use of AI to infer emotions of a natural person is highly undesirable and should be prohibited, except for certain well-specified use-cases, namely for health or research purposes.” Based on these criteria, the NAIH stated that the Bank’s stated efficiency purposes were not proportionate or an adequate justification for the removal of fundamental rights of data subjects and for the use of a form of data processing that data protection authorities have consider undesirable and high risk.
The NAIH also noted that not only the voices of customers were analysed, but also the voices of its employees. The NAIH stated that monitoring performance and quality assurance may give rise to certain legitimate interests in certain circumstances according to labour law, and that the question of suitability and proportionality was also relevant in this case, especially because employees are in a dependent relationship and are therefore more vulnerable than a third party. The NAIH established that this was not taken into account either due to the Bank’s lack of balancing of interests, and that an adequate system of guarantees was not provided for employees. Based on this lack of balancing of interests, the NAIH held that the bank could not claim legitimate interest as a valid legal basis under Article 6(1)(f) GDPR, or any other legal basis listed in Article 6(1) GDPR, for the processing in question. It therefore held that the Bank had violated Article 5(1)(a) GDPR, Article 6(1) GDPR and Article 6(4) GDPR. Fine and order to comply with GDPR Based on these considerations, the NAIH imposed a fine of HUF 250,000,000 (approximately €700,000) on the Bank, and ordered the Bank to cease its use of AI to analyse emotions in the recordings of customer service calls unless it proved within 60 days that an appropriate scope of data was defined, a valid impact assessment is carried out, and a valid legal basis was provided that ensured that data subjects’ rights are protected to the maximum extent possible. With regard to the Bank's employees, the NAIH held that processing should be limited to what is necessary for the purposes for which it is intended and they should be provided with appropriate information, indicating the assessment criteria and consequences, including a specific balancing of interests that addresses their vulnerability due to the nature of their work relationship, with appropriate internal safeguards.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-85-3 / 2022 Subject: Decision Earlier case number: NAIH-7350/2021 DECISION The National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) a Against Budapest Bank Zrt. (Registered office: 103 Budapest, Váci út 193; hereinafter: Customer, or in some quoted texts: Bank) by the Customer's telephone customer service 25 May 2018 relating to the recording of telephone conversations and the present proceedings between the date of commencement of the data management practice performed by the Customer in 2021. initiated ex officio data protection authority proceedings on 22 September. The Authority on Data Protection take the following decisions in official proceedings: I. The Authority shall determine ex officio that the Client is involved in the sound recording analysis under review data management practices violated the processing of personal data of natural persons the free movement of such data and Directive 95/46 / EC Regulation (EU) 2016/679 repealing Regulation (EU) No Article 5 (1) (a) and (b), Article 6 (1), Article 6 (4) Article 12 (1), Article 13, Article 21 (1) and (2), Article 24 (1), Article 25 Article 1 (1) and (2). II. The Authority shall act ex officio in accordance with Article 58 (2) (d) of the General Data Protection Regulation instructs Customer to modify its data management practices to comply with general data protection regulation, ie do not analyze emotions during sound analysis, and ensure adequate protection of data subjects' rights in relation to data processing, in particular, but not only the right to adequate information and protest. In relation to Customer's employees, the data processing must be limited to what is necessary to achieve the purposes for which they are intended; and they should be provided with appropriate information on the evaluation criteria and implications by marking. Separate data management related to employees for different purposes the balance of interests should address the vulnerable situation resulting from this dependency; and appropriate internal guarantees in this regard. III. The Authority shall appoint the Client ex officio HUF 250,000,000, ie HUF two hundred and fifty million data protection fine obliges to pay. The II. the fulfillment of the obligation provided for in point 1 from the date on which the Client becomes final must be submitted in writing within 60 days of the to the Authority. Data management is real only if the appropriate data set is defined impact assessment, a valid legal basis and proof of the maximum guarantee of the rights of the data subject may be continued, otherwise the Customer must certify the termination of the data processing under review to the Authority within the above time limit. A III. within 30 days of the final adoption of this Decision Authority's centralized revenue collection special purpose forint account (10032000-01040425- 00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid for. When transferring the amount, "NAIH-85/2022 JUDGMENT." reference should be made to If the Customer fails to meet the obligation to pay the fine on time, a late payment surcharge is obliged to pay. The amount of the late payment allowance is the statutory interest affected by the delay equal to the central bank base rate valid on the first day of the calendar half-year. Non-payment of the fine and the late payment allowance, as well as the II. no obligation under point the Authority shall order the enforcement of the decision. There is no administrative remedy against this decision, but from the date of notification within 30 days of the application to the Metropolitan Court in an administrative lawsuit can be challenged. The application must be submitted to the Authority, electronically, which is the case forward it to the court together with his documents. A hearing may be requested in the application. The entire for those who do not receive personal tax exemption, the fee for the administrative lawsuit is HUF 30,000, a is subject to the right to record material taxes. Legal representation in proceedings before the Metropolitan Court obligatory. Act CXII of 2011 on the right to information self-determination and freedom of information. Act (a hereinafter: Infotv.) pursuant to Section 61 (2) (a), the Authority shall publish this decision on the Authority's website. EXPLANATORY STATEMENT I. Procedure I.1. The History Case 1. In the preliminary examination procedure NAIH-5161/2021 (hereinafter referred to as Customer) as a legal entity engaged in the activity of a financial institution data management to record the recorded audio of customer service calls automatically analyze and provide adequate information to stakeholders. The Customer is the analysis using the result, determine which dissatisfied customer needs to be recalled, in this regard, it automatically analyzes, among other things, both the caller concerned and the caller the emotional state of the customer service employee and other characteristics of the conversation. The History In the case, the complainant can find a sentence on the Client's website referring to the sound analysis asked questions in this regard but was not satisfied replies to the Authority. (2) At the request of the Authority, the Client received the number NAIH-5161-5 / 2021 on 5 July 2021. In its reply, filed under In the present proceedings, the Authority also classified Annex III to the explanatory memorandum. at point: (i) The sound analysis application (hereinafter: Software) was introduced by the Customer on 26.05.2017. THE The aim of the development was to make the work of the nearly 180 telephone staff more productive, by improving the call selection process of about 20 call-backers. THE retrievals are made by random selection while using the system, but calls are ranked by the Software based on the characteristics established by the Software. These characteristics are not known to the Customer, it is handled privately by the software. Detailed call evaluation results, the evaluated aspects are not known. (ii) The purpose of the Software is to make quality control more professional for Customer's employees individual development (professional and communication), improving the efficiency of processes and increase customer experience. The system does not store any uniquely identifiable data, or customer information. The data are analyzed together. Areas of application of the program does not include increasing sales results. (iii) One of the main areas of use is call quality control (interception): to be assessed calls are sorted by the analysis team for listeners. Sorting criteria includes data from the Software (eg, dissatisfaction, frustration, etc.) these are parameters that can be changed on a monthly basis in order to be the most effective quality assurance, ie they can reveal the shortcomings and possible directions of development. (iv) The second main area of use is to prevent complaints and customer migration: monthly in advance a specified number of customers are called proactively in order to file a complaint prevent or deter potential customer migration. Enter keywords into the system based search criteria have been set up to help you find the affected customers. This report can be run on a daily basis and the eavesdropper will randomly, choose freely from potential calls. (v) The third main area of use is to increase efficiency: team leaders on a daily basis examine for their team which calls were higher than average and why idle (silence / music) ratio. This is done in exceptional cases for the individual development of staff, respectively used to improve process efficiency. (vi) The mandatory element of the concept of personal data is missing, the data is definitely natural being personal. The Software analyzes the conversation and therefore without eavesdropping (which and a new data management process) none of the characteristics of the conversation can be identified. (vii) Aggregate data on the regulated business process conducted on the basis of the script they only allow a conclusion to be drawn from the discussions. Breaks, idling length, even for a given administrator, is not an indicator of individual aptitude, but indicates that special support is required for your work. For example, if you have a cumbersome IT system waiting time for access causes longer silence. (viii) The Software is similar to, for example, traffic counters, traffic lights which also determine the number of persons involved in the traffic (otherwise identifiable) of natural persons crossing the crossing, however, their operation is not considered as personal data processing in practice. (ix) The purpose of data processing is to deal with complaints and faulty banking procedures not complained of in the complaint. reduce the number of efficient, courteous customer service to ensure control procedures by supporting its effectiveness, as detailed above. Legal basis for data management the legitimate interest of the Customer detailed in the description of the data management purposes is effective and lawful telephone administration. The duration of data management may be retrieved within the Software 45 days for audio recordings, statistics generated by the operation of the Software 1 year for organized call lists. (x) Identifying natural person profiling is not performed by the Software sorts the call according to the above, and compiles the call traffic summary and statistics broken down by processing workers. Automated data management operation for calls by ordering. The result of the automated operation is a callback an increase in the chance of being included in the list by random human selection or can be minimized. (xi) […] voice recorder operation: […] Records all audio by default. An automatism runs down every night on the voice recorder server, which destroys calls in less than 5 seconds. Default, 4 all calls are deleted after 180 days, except for calls with a business label in the […] interface on the business tag settings tab for that campaign have the Long Term Preservation mark. […] Has a dedicated server for voice analytics, which makes it intraday call recordings are duplicated. An automatism at night for the soundtracks of […] removes it from the hit list. Nevertheless, it remains in the internal system of the Software calls can be listened to until the 45th day after recording. There will be no calls after this can be listened to within the Software. (xii) Within the Software, the […] ([…]) option allows […] and to listen to and analyze calls from voice recording systems […] - […]. Also it is possible to monitor and categorize calls made and received […] and […] differently based on quality criteria, which results in customer - specific promotions and we can provide feedback on quality customer service, collection and sales to increase efficiency. Each functional management member shall cover the entire area by area ([…]), by group, by administrator, they can receive unmeasured data a in terms of quality. (xiii) […], using speech intelligence processing based on artificial intelligence, recognizes: • waiting / silence / talking to each other in the sound files, • recognizing and finding keywords in audio files • detects emotional / mood elements in sound files. (xiv) The measurement of wait / silence allows the area manager to identify the launch a reduction factor and action at both the individual and regional level (eg individual development, field training, process development, etc.). (xv) Keyword recognition (based on a dictionary we have developed) allows complaining customers filtering and churn prevention, detection of prohibited / stuffed words. (xvi) Detection of emotional / mood elements in calls shows the real customer experience or customer irritation. (xvii) The Software will store audio material in encrypted form on its own storage for 45 days, this then destroy them. Previous audio analyzes have continued can be retrieved, but the call cannot be inferred from these. (xvii) Automated decision making in individual cases, including a personal profile no decision is made during the processing of data with the Software. Therefore, the GDPR. The conditions of Article 22 (2) shall not apply. (xix) The information of the data subject is provided to the Customer by Chapter 3 of the Business Rules and by Telephone customer service and complaint handling through detailed data management information provided by attached to his reply. (xx) The Software has been operating without complaint since its introduction. (3) At the request of the Authority, the Client received the number NAIH-5161-5 / 2021 on 5 July 2021. The following substantive evidence was provided in the annexes to its reply registered under In cases which the Authority also classified in the present proceedings, Annex III to the explanatory memorandum at point: (i) Internal Note on Customer Complaints […] (literal quotations), 5 “Our customer didn’t get information about artificial intelligence before making a phone call using and using sound analysis software to analyze the conversation and wonder what the purpose of this would be and what the purposes of data management would be. Your question has not been answered by customer service. I ask for this artificial intelligence receive software privacy information and privacy policies. Where can it be found? How much does this correspond to the GDPR? ” “I am sorry that our staff member was not aware of the relevant data management information: [ref intranet address] Attach this to the answer. It should be emphasized that? Telephone customer service quality assurance, performs profiling based on a legitimate interest and through automatic decision-making for the prevention of a complaint selects calls in which a higher-skilled bank employee diverts them by recall the problem, complaint that arose during the telephone conversation.? The referenced document is available at https://www.budapestbank.hu/hirdetmenyek/adatkezelesi- information. Perhaps it is worth mentioning when it comes to general data management information (Chapter 3 of the Business Rules) and the detailed data management information cited our clerk would read it at the beginning of the call, this would prolong the complaint by at least 10-15 minutes, the time of submission of the customer request. This would not be accepted by our customers. That is why the Bank decided written information. " (ii) Internal Note on Customer Complaint […] (literal citations, identical reply to another letter from the person concerned) “[…] The software analyzes the sound recording […] in terms of the developer's trade secret. Among them, the developer of speech speed, volume, pitch, speech pauses described the length as an example. The analysis does not result in a profile but in the recordings the system ranks it daily. The basis of the order is that it can be deducted from the examined aspects concluded that the caller, although not making a formal complaint, was dissatisfied with the administration. Calls at the top of the rankings with higher qualifications and authority will call you back in an attempt to remedy the cause of dissatisfaction. THE As a result of the closed operation of the system, the Bank does not know or handle the order of calls outside data. Thus, it does not transmit or store data, nor can it provide further information about it. In the absence of security breaches, the operation of the system is not considered data protection incident. It is in the common interest of telephone callers and the Bank to investigate and resolve latent complaints. This basis for the operation of the system. Prior information management information in its current form complies with the requirements of Article 12 (1) of the GDPR, which also ensures the conciseness and transparency of information. requirements. Adequacy refers to the information provided to our customers and not customers our stakeholders have not objected for more than 3 years. ” (iii) Identifier: H-407/2018 (Telephone customer service and complaint handling detailed data management information content) a) Telephone customer service for outgoing and incoming calls (in tabular form) data processed: name, notification, permanent address, postal address, telephone number (mobile, landline), e-mail address, mother's name, place and time of birth, ID document number (personal number; passport number, license number), if applicable income data, companion card holder, debtor, co-claimant, guarantor, debtor, proxy personal details (name, date of birth, mother 's name, ID number) etc.), account number, credit card number, credit censorship / reference number, etc., insurance, loans, savings, etc., for payment account, bank cards, credit card data on related transactions purpose: to handle telephone calls made by the customer (s), Duration: "See Section 3.1.8 of the Business Rules" legal basis: conclusion of a contract for incoming calls, "access" for outgoing calls (typed) data processors: n / a b) Telephone customer service for outgoing and incoming calls (in tabular form) data managed: name, notification address, telephone number, customer IDs (account number, card number etc.), channel of receipt, date of notification, reference number of the complaint, type of notification, whether it is a recurring complaint, category of complaint, if applicable, the amount complained of, notification severity, identifiers of previous complaints, detailed description of the complaint, letter of complaint, other attachments, detailed resolution of complaint, amount credited if applicable, complaint reply letter purpose: to handle a complaint submitted by a customer Duration: "See Section 3.1.8 of the Business Rules" legal basis: conclusion of a contract data processors: Where appropriate, the partners required for the investigation (insurance, credit intermediary, etc.) (c) other information at the end of the prospectus For the data management of the specific product affected by the call or complaint, see the specific product at your profile. Telephone customer service is in the legitimate interest of quality assurance and complaint prevention performs profile-based profiling and automatically selects calls in which a higher - skilled bank employee removes the a problem or complaint that arose during a telephone conversation. The Customer may provide information about the sound recording if the sound recordings One of the following data is available to identify: • the telephone number of the calling bank providing the caller ID service, as recorded in the absence of; • the telephone number provided by the data subject providing the caller ID service; • the start time of the call communicated by the data subject with an accuracy of at least 60 minutes determining time data. (iv) Identifier: H-526/2020 (Business Rules, effective from 10.01.2021, page 41, citation) "3.1.8. Unless otherwise provided by law, the general data processing period is 10 years from the termination of the customer relationship. This data processing period is adjusted to for the limitation period for general civil claims, also in view of the interruption of the limitation period. If that the purpose of data processing is to resolve a possible complaint, unless otherwise provided by law duration of data management is 1 year. These include, in particular, canceled or rejected services demand data. For marketing purposes - until your consent is withdrawn - with such a transaction The Bank may also contact the person concerned. Retention period of images for security purposes sixty days. The legal retention period for sound recordings for complaint handling is 5 years. The transaction the general data retention period shall apply to the recording of the order. The Bank is after the end of the data processing period, block the Data if the legal conditions for blocking and the technical conditions allow this. The duration of data management may be shortened by the Bank, excludes its liability in this regard. ", 7 (v) Identifier: ‘balancing test voicemining.xlsx’ (actually a privacy impact assessment data sheet) brief description of data management: “Software and mass sound analysis, predefined search and analysis of content and keywords, description. The conversation detection of emotions in the sound system (negative, positive). " a brief summary of the necessity and proportionality study: “Data management a necessary to rank conversations according to their relevance. THE ranking has no direct effect on the participants in the conversation. The ranking interception based on the resulting customer (calling party) recall new stand-alone data management. " Opinion of the Data Protection Officer and decision on data processing Summary: “The purpose of data management is the rights of the data subjects and the business interests of the Bank there is no direct or indirect legal prohibition. Data management for several reasons high risk, in particular due to the novelty of the technology used, for audio recordings are made automatically using artificial intelligence analysis and findings are also generated automatically. The totality of the data is both suitable for profiling and scoring for the stakeholder group, and automated decision making does not happen in the process, data management for stakeholders may have legal effect. The high risk was identified by the data controller in the impact assessment measures, such as human at the end of automated data processing decision-making takes place. The exercise of the rights of the parties concerned is ensured in accordance with standard practice. The exercise of the right does not adversely affect those concerned. In the process there is no data processor. " (vi) Identifier: "privacy record extract.xlsx" (only relevant parts highlighted) name: storage of sound material goal: Through recorded conversations, the customer’s voice is recorded. You are later complaints in the event of a dispute, this may be intercepted. Legal basis: Law, legitimate interest, balance of interests processing: no duration: 10 years from the end of the contract (4) At the request of the Authority, the Client received on 16 August 2021, NAIH-5161-10 / 2021 In its reply, registered under number which the Authority has also classified in the present proceedings in Annex III to the explanatory memorandum. at point: (i) “On this basis, it can be concluded that the main purpose of using the application is call time promotion of abbreviations. The Bank's telephone customer service capacity is limited. Therefore, the call time shortening to ensure that significant customer irritation is reduced, cease. This is the purpose of breaks in conversations, listening to waiting music the Bank achieves by examining. In these cases, the calls from my co-workers are statistical processed by other methods and only listened back if necessary. Their purpose is to have a conversation find bugs in control scripts that wait, play music, or talk to each other (clutter of the clerk and the interlocutor). In this case, the or those who are automatically scheduled to be retrieved from your conversations are listened to in full, but in part on the basis of the aspects examined. So the eavesdropping worker does not hear the customer identification part. The application supports the same aspects per employee. This is in a performance - based pay system, 8 helps the employee to improve the efficiency of an individual call, the time required for their calls reduce it. " (ii) “The result of the screening may be overridden at any time by the wiretapping officer. The software it only gives the listener a “menu” to choose from, but the decision is always a competence of the colleague in the process. " (iii) Employee contributions not used in operational work are listed in Appendix Customer has repealed and attached the enforced regulations ([…] - A recording, retrieving and handling telephone conversations at banking group level), and also updated organizational changes while streamlining the annexes. (iv) The Software is not a call recording system. This task is performed by the […] and […] systems. These are used to transfer calls to the Software system. The data content of the Software is the call caller ID in the recording system, the calling / called telephone number, the direction and time of the call, length, name of the clerk, organizational unit, date of the analysis, quantified (%) results, alphanumeric description of the recognized language elements. (v) Customer retention or pre-complaint calls: • The listener launches a filter based on the rules and keywords set in the system for the period of his choice. • The Software lists the results, that is, the calls that match the filtering conditions. • The staff member randomly selects from the suggested calls and listens (typically the call segment indicated by the Software). If this is confirmed by the Software, it is complete it is advisable to listen to the call. • After listening back, you decide if it is possible in the given case customer retention or complaint prevention. • If so, it retrieves the customer's data from the banking systems. (vi) Detected emotions can also be displayed at the call level. These can be aggregated into groups and area level and sort by emotion strength. (vii) No information will be given at the beginning of the calls as to whether to use the Software or whether data processing for voice analytical purposes. In the case of an incoming call ([…]), […] tell the voice recording. In the event of an outgoing call ([…] and […]), the staff member will inform you of the recording. If the customer complains about the use of the software, the clerks shall be informed of the possibility of recording the notification. If necessary, the complaint will be picked up, which will be investigated by the Complaints Office - if necessary by the Data Protection Officer involving. We would like to note that verbal information at the beginning of telephone calls its practical possibilities are severely limited. A few words of information necessarily misleadingly, forcing the data subject to an unjustifiably disadvantaged communication situation. Detailed, and thorough information does not allow for live audio as required by law compliance with contact requirements. A significant portion of phone calls are customer interest. A customer for the opening hours of an account or the current balance of an account Detailed information provided prior to responding to a request would necessarily violate Article 12 of the GDPR. the requirement of conciseness of information under Article 1 (1) because it is temporal its scope would far exceed the substantive administration, the actual data management. (viii) The possibility of protesting without breaking the line is precluded by technical circumstances. If human intervention could influence the analysis of a failed call, subtraction, would significantly skew the efficiency of the analysis, as it is the anomalies protest and agent intervention are expected in the case of a call containing (ix) The information is provided by the Client on the website https://www.budapestbank.hu/panaszkezeles. (x) Upon termination of the primary purpose of data management, the Customer shall delete from the production systems data, but the referenced 42/2015. (III. 12.) Government Decree § 3 (3) e) and (4) the Customer makes it an obligation to create and manage archives, data backups and backups. The order of their access corresponds to the concept of blocking according to the GDPR, therefore they are described in this way provided information to the Customer. The management rules of archive media are in the records management regulations is located. (xi) In addition to the questions, it is worth highlighting from the experience of personal control that a emotional indications of sound analysis for sound property and terms used are set up and therefore give false results about calls without human control. On the other hand there are people with a voice - our employee had one too - whose voice it always reflected dissatisfaction. These are also given, while the pause-to-speech ratio is intertwined speech and the speech / music ratio are relatively objective characteristics of conversation, until then emotional tone, so the dissatisfaction and frustration experienced are less reliable characteristics. This is taken into account by my colleagues when using the system. (xii) The caller will only be identified if it is necessary to compensate him due to a bank failure, or the Customer seeks to resolve your latent complaint in a reassuring manner. (5) At the request of the Authority, the Client received on 16 August 2021, NAIH-5161-10 / 2021 In the annexes to its reply, registered as No Background In cases which were also classified by the Authority in the present proceedings, Annex III to the explanatory memorandum at point: (i) Identifier: […] (Recording, listening to and handling telephone conversations banking group level instruction) „5. Detailed procedure […] To retrieve recorded conversations for voice analysis: In the Software System, using the voice analysis software, […] ([…], […]) and Calls to the […] and […] voice recording systems are available for complaint handling to listen back and analyze them. Furthermore, it is possible to recover and […] started and monitoring and categorizing incoming calls based on various quality criteria, which results can be used to formulate customer-specific actions and feedback to improve quality customer service, collection and sales efficiency. The individual functional management members for their entire area, by area ([…]), by group, they may receive unmeasured quality data per clerk. […], Using speech intelligence processing based on artificial intelligence, recognizes: • waiting / silence / talking to each other in the sound files, • recognizing and finding keywords in audio files • detects emotional / mood elements in sound files. Measuring the wait / silence allows the area manager to identify the launch a reduction factor and action at both the individual and regional level (eg individual development, field training, process development, etc.)., 10 Keyword recognition (based on a dictionary we developed) allows complaining customers filtering and churn prevention, detection of prohibited / stuffed words. Detection of emotional / mood elements in calls shows the true customer experience or customer irritation. The Software will store the audio in encrypted form on its own storage for 45 days, thereafter destroys them. Previous audio analyzes have continued they can be retrieved, but the call cannot be deduced from them. " (ii) Identifier: "interest balancing test voicemining_doc.docx" "2.1. The purpose of data processing is defined, express and legitimate, in accordance with the general Article 5 (1) (b) of the Data Protection Regulation: in the case of telephone administration a reduction of call time, more efficient filtering of latent customer complaints by call characteristics by increasing the efficiency of call interception. 2.2. Demonstration of a legitimate interest: Article 6 (1) (f) of the General Data Protection Regulation According to the data management of the Bank is efficient, the exercise of the rights of the parties concerned by telephone legitimate interests as defined in the required. 3.1. The need for data management is described in 2.1. in accordance with the purpose of point control by the controller, optimization of data management processes GDPR Article 5 (1) (a) fair procedure in accordance with point (d) and accuracy in point (d) of the same paragraph necessary to ensure faulty administration not otherwise detected remedy. 3.2. Proportionality of data management is set out in Section 2.1. in accordance with the objective set out in interests, rights and freedoms: data management using the Software operations are carried out by the Bank in accordance with Article 11 of the GDPR, without identifying a specific data subject. THE Randomly selected conversation from a list generated using software In this case, too, the data subject will only be identified if recall becomes necessary. The data subject shall not be adversely affected by the data processing. Beneficial effect (complaint remedy) is a possible legal consequence. Proportionality is ensured by the Bank by personalizing the data generated in the system there is only a low statistical chance. The person concerned does not have to count on the fact that will have the legal effect of using the system, there is little chance of this, given the also for data management purposes. 3.3. Alternatives available to replace data management: a the controller does not have an alternative tool, procedure or solution that: using the 2.1. the objective set out in point 1 may be achieved. 3.4. In case of non-processing of data, the (estimated) disadvantages and damages of the data controller: decreased efficiency of conversations, efficiency of detection of latent complaints decrease. The consequent increase in call dropout is limited exercise their administrative rights, including the protection of their personal data. THE decrease in the efficiency of detection of latent complaints with the accuracy of data management reduce, where appropriate, pecuniary or legal disadvantage to the data subject. […] 4.2. The positive and negative effects of data processing on the data subject: a data management does not in itself have an adverse effect on the data subject with regard to., 11 4.3. In addition to the mandatory information on data management, the Data Subject may be informed at any time may request about the data managed by the Bank, the purpose, legal basis and duration of the data processing. (right to information, Article 12 GDPR) […] 4.9. The Data Subject has the right at any time for reasons related to his or her own situation object to the processing of your personal data, including those based on the GDPR provision profiling as well. In this case, the controller may no longer process the personal data, unless the controller demonstrates that the processing is for compelling legitimate reasons justified by the interests, rights and freedoms of the Data Subject or to bring, assert or defend legal claims are related. […] 6.1. Existence of Legitimate Interest: Bank has an undisputed legitimate interest in the Software System improve your telephone administration and find out about latent complaints. 6.2. Necessity of data management: in order to achieve the purpose of data management is personal data management is essential. 6.3. Proportionality assessment: the data subject's right to self-determination is certain necessary and proportionate to the purpose and duration of the processing may be limited in accordance with On the basis of the balancing test, it can be concluded that the processing does not constitute an unnecessary and disproportionate restriction on the data subject 's rights; and freedom. The data subject may object to the data processing or may exercise it at any time General Data Protection Decree 12-22. guaranteed by Article (6) In view of the above, the Authority Pursuant to Section 55 (1) (a) (b), 2021. closed the History Case on September 23, and filed this Privacy Policy ex officio telephone conversations conducted by the Customer's telephone customer service between 25 May 2018 and the date on which the present proceedings were initiated Subject to customer data management practices. I.2. The present data protection authority procedure (7) The subject of the present data protection authority proceedings is the receipt by the Customer of the incoming telephone customer service. and by automatically analyzing the recorded voice recordings of your outgoing calls by listening back to some of the audio recordings and then playing back the recorded recordings was the examination of data processing related to the recall of some of the data subjects. The Authority is above third parties who call the customer service in connection with the activity are involved, and the employee working in the Customer's telephone customer service is personal also examined the handling of his data. (8) The Authority shall comply with the provisions of Act CL of 2016 on General Administrative Procedure. Act (hereinafter: On 23 September 2021, he invited the Client to submit comments and may make a statement in connection with the present proceedings and ex officio in the present proceedings to be taken into account in connection with the History Case and by your telephone customer service asked questions clarifying the circumstances of customer identification and recording. (9) At the request of the Authority, the Client electronically signed on 29 October 2021 In its reply, registered as NAIH-7350-2 / 2021, the Commission made the following statements: (i) If the disclosure of information related to the data subject (bank secrecy) during the conversation should it happen, the Customer will always identify the data subject by requesting a unique land code or banking requesting information that is only known to the data subject. For an outgoing call, 12 the person concerned is called on the telephone number registered with the Customer and, in addition, as described above identified. (ii) In the case of an outgoing call, the content of the verbal information: “Good day, I am XY, from the Bank I'm calling, I'm looking for ZW. I would like to inform you that our conversation is for quality assurance purposes we record. " (iii) The Client maintains its statements in the History Case with the clarification that a Software allows you to view the ranked call individually with a click as well as listening back. In doing so, the ranking parameter on the speech chart appear. This is necessary to ensure human control, because it is purely machine evaluation may lead to erroneous conclusions. (For example, silence is caused by a line error or the tone of the machine analysis erroneously evaluates it as dissatisfied. (iv) Customer’s data management practices have not changed materially since May 25, 2018, and the Authority nor did its examination reveal any circumstance that would justify a substantial change in the process. THE information practice is under review. It is expected to be more detailed at several points the Customer shall prepare information as a result of the investigation. (v) The called party may indicate that he does not consent to the recording by breaking the line. If you do not do this, you will be given an explicit behavior by starting the conversation contribution. (vi) The technical system records from the beginning of the call, in which the participating parties have no influence opportunity. (vii) The voice of the Customer's employees is also monitored. Queuing considerations can be set to monitor employee voice properties. With this, the employee development, if necessary, without labor disadvantage. (viii) The Software does not contain artificial intelligence and does not make automated decisions. The results of its analysis can only be utilized with human intervention and interpretation. (ix) Telephone customer service is not limited to customers. The monthly average number of calls is 2021- in 81 500 / month. Annually, 1-1.5 million calls were involved in voice analysis. (x) The Client, as a financial institution, performs extremely complex and large-scale data management. For this compared to the number of data protection complaints is extremely low, no data protection fines so far received by the Customer. (xi) The Client's net sales in 2020 were HUF 81,002,000,000. II. Applicable legal provisions (10) Pursuant to Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation Regulation shall apply to the processing of personal data in a partially or fully automated manner processing of personal data in a non-automated manner which are part of a registration system or which are part of a intended to be part of a registration system. (11) The Infotv. Section 2 (2) the general data protection regulation in the provisions indicated therein shall apply with the additions specified (12) Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data To that end, the Authority shall, at the request of the data subject, initiate a data protection authority procedure and may initiate ex officio data protection proceedings. (13) Infotv. Pursuant to Section 71 (2), the Authority has lawfully acquired it in the course of its proceedings use a document, data or other means of proof in another procedure. (14) Unless otherwise provided in the General Data Protection Regulation, the request was initiated for data protection authority proceedings under Ákr. provisions of the Infotv shall apply with differences. (15) Under Article 4 (1) of the General Data Protection Regulation, "personal data" means identified or any information relating to an identifiable natural person ("data subject"). The a can be identified a natural person who, directly or indirectly, in particular by an identifier, e.g. name, number, location data, online identifier or physical, physiological, genetic, intellectual, economic, cultural or social identity identifiable by a factor. (16) According to Article 4 (4) of the General Data Protection Regulation, "profiling" means personal data any form of automated processing of personal data to assess certain personal characteristics of a natural person, in particular: job performance, economic situation, health status, personal preferences, interest, reliability, behavior, location, or used to analyze or predict motion-related characteristics. (17) According to Article 4 (14) of the General Data Protection Regulation, "biometric data" is a natural data any specific technical information relating to the physical, physiological or behavioral characteristics of a person personal data obtained through procedures that allow or confirm the natural person unique identification, such as a facial image or dactyloscopic data. (18) According to Article 4 (15) of the General Data Protection Regulation, "health data" means a personal data concerning the physical or mental health of a natural person, including data on healthcare provided to a natural person which carries information on the state of health of the natural person. (19) According to Article 5 (1) (a) of the General Data Protection Regulation, personal data must be handled lawfully and fairly and in a manner that is transparent to the data subject ("Legality, due process and transparency"). (20) According to Article 5 (1) (b) of the General Data Protection Regulation, personal data collected only for specified, explicit and legitimate purposes and not treated with them in a way incompatible with the objectives ("purpose-based"). (21) Pursuant to Article 6 (1) of the General Data Protection Regulation, the processing of personal data lawful only if and to the extent that at least one of the following is met: (a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes treatment; (b) processing is necessary for the performance of a contract to which one of the parties is a party; or to take action at the request of the data subject prior to the conclusion of the contract required; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is in the vital interests of the data subject or of another natural person necessary for its protection; (e) the processing is in the public interest or a public authority vested in the controller necessary for the performance of the task (f) processing for the legitimate interests of the controller or of a third party necessary, unless the interests of the data subject take precedence over those interests or fundamental rights and freedoms which call for the protection of personal data, especially if the child concerned. Point (f) of the first subparagraph shall not apply to the performance of their duties by public authorities data management. (22) According to Article 6 (4) of the General Data Protection Regulation, if different from the purpose for which the data were collected processing for that purpose is not with the consent of the data subject or of an EU or Member State is a right that is a necessary and proportionate measure in a democratic society to achieve the objectives set out in Article 23 (1) of the General Data Protection Regulation to determine whether the data processing for different purposes is compatible with the purpose for which the personal data were originally collected, the controller shall take into account, inter alia: (a) between the purposes for which the personal data are collected and the purposes for which they are intended to be further processed possible contacts; (b) the conditions for the collection of personal data, in particular the data subjects and the relationships between data controllers; (c) the nature of the personal data, in particular that they are personal data within the meaning of Article 9 whether it is a matter of dealing with special categories or whether it is a matter of criminal liability on the processing of personal data in accordance with Article 10. this word; (d) the possible consequences for data subjects of the intended data further treatment; (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation. (23) Pursuant to Article 9 (1) of the General Data Protection Regulation, racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership personal data and genetic data for the unique identification of natural persons biometric data, health data and the sexual life of natural persons or processing of personal data concerning sexual orientation - the general data protection regulation Except in the exceptional cases provided for in Article 9 (2), it shall be prohibited. (24) According to Article 12 (1) of the General Data Protection Regulation, the controller is appropriate take measures to ensure the processing of personal data by the data subject all the relevant information referred to in Articles 13 and 14 and Articles 15 to 22. and Article 34 each piece of information in a concise, transparent, comprehensible and easily accessible form, in a clear manner and provide any information addressed to children, in particular, in plain language in the case of. The information shall be provided in writing or otherwise, including, where appropriate, by electronic means must also be provided. Oral information may be provided at the request of the data subject, provided otherwise the identity of the data subject has been established. (25) According to Article 12 (2) of the General Data Protection Regulation, the controller shall facilitate: concerned 15-22. exercise of their rights under this Article. (26) In accordance with Article 13 of the General Data Protection Regulation 1. Where personal data concerning the data subject are collected from the data subject, the controller shall: at the time of obtaining the personal data from the data subject each of the following information :, 15 (a) the identity and contact details of the controller and, if any, of the controller 's representative; (b) the contact details of the Data Protection Officer, if any; (c) the purpose of the intended processing of the personal data and the legal basis for the processing; (d) in the case of processing based on Article 6 (1) (f), the controller or a third party legitimate interests of a party; (e) where applicable, the recipients or categories of recipients of the personal data, if any; (f) where applicable, the fact that the controller is a third country or international organization personal data and the Commission’s Compliance Office the existence or absence of a decision in accordance with Article 46, Article 47 or Article 49 (1) in the case of the transmission referred to in the second subparagraph of the means of obtaining the guarantees and the means of obtaining a copy thereof, or reference to their availability. 2. In addition to the information referred to in paragraph 1, the controller shall process personal data at the time of acquisition, in order to ensure fair and transparent data management provide the data subject with the following additional information: (a) the period for which the personal data will be stored or, if that is not possible, that period aspects of its definition; (b) the data subject's right to request from the controller the personal data concerning him or her access to, rectification, erasure or restriction of the processing of data, and may object to the processing of such personal data and to the portability of the data concerned the right to (c) information based on Article 6 (1) (a) or Article 9 (2) (a); in the case of data processing, the right to withdraw the consent at any time, which does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal; (d) the right to lodge a complaint with the supervisory authority; (e) that the provision of personal data is required by law or by a contractual obligation based on or a precondition for concluding a contract and whether the person concerned is obliged to be personal provide information on their possible consequences failure to provide data; (f) the fact of automated decision-making referred to in Article 22 (1) and (4), including: profiling and, at least in these cases, the logic used understandable information on the significance of such processing and on the data subject its expected consequences. (3) If the data controller has access to personal data for purposes other than the purpose for which they were collected intends to carry out the processing, it must inform the data subject before further processing this different purpose and any relevant additional information referred to in paragraph 2. 4. Paragraphs 1, 2 and 3 shall not apply if and to the extent that the person concerned is already has the information. (27) Under Article 21 (1) of the General Data Protection Regulation, the data subject is entitled to: protest your personal data at any time for reasons related to your situation in accordance with Article 6 (1). based on those provisions, including those provisions based profiling. In this case, the data controller may not process the personal data unless the controller demonstrates that the processing is justified by compelling legitimate reasons. justified by the interests, rights and freedoms of the data subject or to bring, assert or defend legal claims are related. (28) According to Article 21 (2) of the General Data Protection Regulation, if personal data is handled for the direct acquisition of business, the data subject is entitled to do so at any time object to the processing of personal data concerning him for this purpose, including profiling also in so far as it relates to the direct acquisition of a business., 16 (29) Under Article 22 (1) of the General Data Protection Regulation, the data subject is entitled to: do not cover only automated data processing, including profiling, the scope of a decision based on a decision which would have legal effects on him or a similar degree of effect on him would be affected. (30) According to Article 24 (1) of the General Data Protection Regulation, the controller is the controller nature, scope, circumstances and purposes, and the rights and freedoms of natural persons taking into account the reported risks of varying probability and severity implement organizational measures to ensure and prove that personal data shall be processed in accordance with this Regulation. These measures are taken by the data controller review and, if necessary, update it. (31) According to Article 25 (1) of the General Data Protection Regulation, the controller is a scientific and the state of the art and the cost of implementation, as well as the nature and scope of data circumstances and purposes and the rights and freedoms of natural persons taking into account both the probability and the severity of the risk as well as the appropriate technical and organizational arrangements for data management implement measures, such as pseudonymisation, aimed at complying with data protection principles, such as the effective implementation of data saving, on the one hand, and the provisions of this Regulation, on the other incorporating the guarantees needed to meet the requirements and protect the rights of those concerned into the data management process. (32) According to Article 25 (2) of the General Data Protection Regulation, the controller is appropriate implement technical and organizational measures to ensure that by default only personal data that is subject to that specific data processing should be processed necessary for the purpose. This obligation applies to personal information collected the extent of their handling, the duration of their storage and their availability. These are measures in particular need to ensure that personal data is provided by default they cannot be accessed indefinitely without the intervention of a natural person for number of persons. (33) According to Article 57 (1) (a) of the General Data Protection Regulation, the general without prejudice to the other tasks set out in the Data Protection Regulation, the supervisory authority shall have its own monitor and enforce the application of the General Data Protection Regulation. (34) Pursuant to Article 58 (2) of the General Data Protection Regulation, the supervisory authority acting in its corrective capacity: (a) warn the controller or processor that certain data processing operations are planned its activities are likely to infringe the provisions of this Regulation; (b) reprimands the controller or the processor if he or she is acting in a data-processing capacity has infringed the provisions of this Regulation; (c) instruct the controller or processor to comply with this Regulation the exercise of his rights under this Regulation; (d) instruct the controller or processor to carry out its data processing operations, where applicable in a specified manner and within a specified period, bring this Regulation into line with its provisions; (e) instruct the controller to inform the data subject of the data protection incident; (f) temporarily or permanently restrict the processing, including the prohibition of the processing is; (g) order personal data in accordance with Articles 16, 17 and 18 respectively rectification or erasure of data and restrictions on data processing, and Article 17 (2), Article 17 order notification to the addressees in accordance with with whom or with whom the personal data have been communicated; (h) withdraw the certificate or instruct the certification body in accordance with Articles 42 and 43 revoke a duly issued certificate or instruct the certification body not to issue the certificate if the conditions for certification are not or are no longer met; (i) impose an administrative fine in accordance with Article 83, depending on the circumstances of the case in addition to or instead of the measures referred to in this paragraph; and (j) order the flow of data to a recipient in a third country or to an international organization suspension. (35) Pursuant to Article 83 (1) of the General Data Protection Regulation, all supervisory authorities ensure that the general data protection Regulation referred to in Article 83 (4), (5) and (6) The administrative fines imposed for breach of this Directive shall be effective and proportionate in each case and be dissuasive. (36) Pursuant to Article 83 (2) of the General Data Protection Regulation, administrative fines are imposed by Article 58 (2) (a) to (4) of the General Data Protection Regulation, depending on the circumstances of the case. It shall be imposed in addition to or instead of the measures referred to in points (h) and (j). When deciding that whether it is necessary to impose an administrative fine or the amount of the administrative fine In each case, due account shall be taken of the following: (a) the nature, gravity and duration of the breach, taking into account the processing in question the nature, scope or purpose of the infringement and the number of persons affected by the infringement; the extent of the damage they have suffered; (b) the intentional or negligent nature of the infringement; (c) the mitigation of damage caused to the data subject by the controller or the processor any measures taken to (d) the extent of the responsibility of the controller or processor, taking into account the technical and organizational measures taken pursuant to Articles 25 and 32 of the General Data Protection Regulation measures; (e) relevant infringements previously committed by the controller or processor; (f) the supervisory authority to remedy the breach and the possible negative effects of the breach the degree of cooperation to alleviate (g) the categories of personal data concerned by the breach; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor has reported the breach and, if so, what in detail; (i) if previously against the controller or processor concerned, in the same referred to in Article 58 (2) of the General Data Protection Regulation compliance with one of those measures; (j) whether the controller or processor has complied with the general data protection rules codes of conduct approved pursuant to Article 40 of this Regulation or general data protection approved certification mechanisms in accordance with Article 42 of the Regulation; and (k) other aggravating or mitigating factors relevant to the circumstances of the case, such as financial gain gained or avoided as a direct or indirect consequence of the infringement loss. (37) Pursuant to Article 83 (5) of the General Data Protection Regulation, the following provisions apply an administrative fine of up to EUR 20 000 000 in accordance with paragraph 2 or, in the case of undertakings, the total worldwide turnover in the preceding business year up to a maximum of 4%, with the higher of the two amounts to impose :, 18 (a) the principles of data processing, including the conditions for consent, are laid down in the General Data Protection Regulation In accordance with Articles 5, 6, 7 and 9; (b) the rights of data subjects under Articles 12 to 22 of the General Data Protection Regulation. in accordance with Article (c) the transfer of personal data to a recipient in a third country or to an international organization Articles 44 to 49 of the General Data Protection Regulation in accordance with Article (d) Article IX of the General Data Protection Regulation. in accordance with the law of the Member States adopted pursuant to this Chapter liabilities; (e) the supervisory authority in accordance with Article 58 (2) of the General Data Protection Regulation temporary or permanent restriction of data processing or the flow of data non-compliance with the request for suspension or general data protection failure to grant access in breach of Article 58 (1) of the Regulation. (38) Infotv. Pursuant to Article 75 / A, the Authority is required to comply with Article 83 (2) to (6) of the General Data Protection Regulation. shall exercise the powers set out in paragraph 1, taking into account the principle of proportionality, in particular: by the law on the processing of personal data or by the European Union in the event of a first breach of the requirements laid down in a mandatory act of the in accordance with Article 58 of the General Data Protection Regulation it takes action by alerting the controller or processor. III. Findings and decision of the Authority III.1. Recorded conversations conducted by Customer's telephone customer service description of data management related to the analysis of sound recordings (39) The Client, as a financial institution, operates a telephone customer service. In this context, certain In some cases, it is a legal obligation to record a conversation with telephone customer service and preservation. The present procedure of the Authority is the further processing of data on recorded audio files focused on operations, not voice recording. (40) The data controller is the data processing carried out in connection with the sound analysis with the Software in the case of both the decision-making authority and the Client's own statements. It is up to the Customer to decide the use of the Software and its terms of use in internal regulations. (41) All telephone customer service calls are non-substantive calls of a few seconds except for the audio of the call is recorded and stored in the Customer's systems. (42) The recorded audio material is included in the Customer's telephone customer service employee as a concerned person and a third party called by him or by calling the Customer’s telephone customer service the affected voice of a party, in addition to which a single unique is associated with it in all systems of a Client caller ID, caller / called phone number, call direction, time, agent name, organizational unit. (43) Every night an automation runs on the Customer 's voice recording server, which destroys the 5 seconds. Speech signal processing based on artificial intelligence in addition, the wait / silence / talk to each other is automatically analyzed, the keywords from the list provided and the emotional / mood status of the speaker. This may be associated with a specific person as it may be filtered out if the Software affects an employee’s emotion recognized and not the caller, which is the default assignment provided by Customer in the above (4) paragraph (xi). Declaration under the same subparagraph - and the technical “voice A system based on the recognition of emotions under the annex entitled "screens.docx.doc", 19 its efficacy is highly questionable, as there was no recognizable emotion in 91.96% of cases in. In this respect, the Authority emphasizes that personal data are not but will be personal data when assigned to a specific person. For example, an inaccurately recorded and unrealistic storage of data stored in connection with a given identifiable data subject there will be treatment on the part of that data controller as if the data were accurate. (44) Analysis, use and storage of the voice and emotional / mood status of the stakeholders sensitive data processing. Although the Authority considers that this is not the case a special category of person within the meaning of Article 9 (1) of the General Data Protection Regulation data, however, their processing affects the privacy of the data subjects. (45) The Authority considers that the data generated by the data processing under investigation are general special categories of personal data under Article 9 (1) of the Data Protection Regulation in the light of all the circumstances of the present case, it held as follows. Sound analysis of the data that make up the result, only emotion, mental state is what is given biometric data or health data. In the present case, the according to the revealed facts, the data analysis does not create data that uniquely identify the data subject, thus, this condition of biometric data is missing. And that condition does not apply to health data that a meaningful conclusion can be drawn as to the physical or mental state of the person concerned deducted from the outcome of the data processing at issue in the present case. Regardless, not the employee method or the quality of the data itself, the conditions are not met, so it may be different In similar cases, similar data may be classified as a special category of personal data other circumstances, in conjunction with additional data - which is present the above conditions are met. (46) Based on the above, the Software evaluates by waiting / talking / talking to each other. the performance of the Customer’s telephone customer service employee based on the manager employees in accordance with the statement of the Client indicated in sub-paragraph (xiv) of paragraph (2) above individual development, field training, process development, and the Customer may order the above (4) According to the statement indicated in sub-paragraph (i) of this paragraph, this is the Customer's telephone customer service also affects your employee’s performance pay. (47) The Software will also record the results of the recognized keywords and emotions for each call. and calls can be retrieved for up to 45 days within the Voice Analyzer Software. however, they remain beyond the sound recording system. In this context, paragraph 3 (iii) above The data management information containing the content indicated in subsection 3.1.8 only refers back to the provisions of section 3.1.8 which lists different retention periods for several data processing purposes for different purposes is not clear and transparent to the average stakeholder. (48) The Software will rank the calls based on the above, which is a suggestion of which the data subject should be recalled in the first instance, which complainant is more dissatisfied. In this, the data subject a to describe a typical emotional, mental state based on an analysis of the Software at the time of the call data is also stored in the Software when connected to the call. Based on this, the Client is in a senior position employees decide which customer service to call back to deal with dissatisfaction for the purpose. The purpose of the Software is not to handle individual complaints, the complaint indicated on the telephone regardless of the operation of the Software, any complaint will be handled in any way by customer service staff. The purpose of the recall is not to deal with the specific complaint, but to regardless of the resolution of the specific complaint of the customer in principle filtering and management. (49) The Client’s decision in the History Case referred to in sub-paragraphs (iii), (iv) and (v) of paragraph 2 above the purpose of data management is to control the quality of calls with variable parameters, 20 based on, complaint and customer migration prevention, and call handling staff increase its efficiency. The information provided to the persons concerned on the Customer's website in accordance with paragraph 3 (iii) above The data management prospectus containing the content indicated in subsection 1 is very general in the first place in relation to data management, "performs profiling based on a legitimate interest and automatic decision - making selects calls in which a higher-skilled bank employee recalls eliminates the problem of the telephone conversation, complaint "does not inform the sound analysis is substantive method and essence, does not articulate clearly. The prospectus also covers quality assurance and complaint prevention is for purposes only, but also the above description, which does not provide meaningful information concerns the prevention of a complaint. For this reason, with the existence of data management, its essential content and all its purposes are clearly unaware of those concerned, and this information is not received during a phone call or callback. (50) The Client has based the above data processing on its legitimate interests in order to retain its clients and increase the efficiency of its internal operation. These interests, which are very different, however, no data processing is required in either the minimum prospectus or the balance of interests separated, they were handled together by the Customer. (51) Although not the subject of the present proceedings, the Authority notes that it is general Prior to the entry into force of the data protection decree, the Infotv. Pursuant to Section 68 (4), due to the application of the new data processing technology, the examined data protection registration would not have been automatic. The Authority is the Customer upon request, the conditions and guarantees of data processing in such cases shall be individually assessed by the Authority without its prior approval, the Customer would not have been able to start processing the data. Because this is the approval procedure was not blamed on the Client, therefore the Authority obtained it with a significant delay be aware of this data management. In addition, the information sent by the Client to the Authority pursuant to Article 30 of the General Data Protection Regulation nor does it mention the data management records related to sound recordings by processing the sound recording data management, storage only. III.2. Application of the General Privacy Policy to Data Management with the Software (52) Under Article 4 (1) of the General Data Protection Regulation, the quality of 'personal data' can be indirect identification is also sufficient. (53) Article 57 (1) (a) and Article 58 (2) of the General Data Protection Regulation Article 83 (1) (b) and (d), Article 83 (1), (2) and (5) and Infotv. Pursuant to § 75 / A a Authority examined ex officio in the course of its proceedings the general practice of the Customer affecting the present case part. The Authority shall inform Infotv. Section 71 (2) in any other proceedings may use evidence in other proceedings. (54) The Client stated that it had received a letter dated 5 July 2021, registered under number NAIH-5161-5 / 2021. in its response to the History Case that, in its opinion, the Software does not store an identifier data and analysis results generated by the Software by the caller and customer service representative is not personal information about his emotional state because it cannot be linked to anyone, and the system a compared to the operation of traffic counters and traffic lights. That's obvious denies the NAIH-5161-10 / 2021 received by the Client in the History Case on 16 August 2021 information in its reply, registered under number, that the customer service telephone calls are one they have a unique internal identification number that is on the Customer's systems in addition to the Software they can also be contacted within the caller and the customer service representative and this unique ID is also used as a pseudonym by the Software. When applying the consequence (eg recall, sending to training) this connection is realized. A traffic counter or traffic light, 21 for example, the fourth car that passed in front of it and the driver cannot be re-identified to draw. The Software does not operate on this principle at all, but is expressly intended to be specific to take action. (55) Based on the above, both parties to the call can be clearly identified by the Customer, which during the normal operation of the system, the Customer shall continuously whose recorded calls are intercepted and subsequently recalled accordingly, or an employee working by telephone customer service is evaluated based on this. If you didn't the Customer, but you would have the opportunity to do so, it would still be personal data for analysis by the Software result until the irreversible termination of the relationship with that identifiable stakeholders. (56) The above interpretation is confirmed, inter alia, by the judgment of the Court of Justice of the European Union in Case C-582/14 judgment on dynamic IP addresses analogous to the present case, which are also personal data for all controllers who, by lawful means, even indirectly, access to the information from the ISP which subscriber belonged to an IP address at a given time. In this case, the required identifier information-alias ID link with phone number and other call details - is available to the Client within its own systems, so there can be no question that it is legal a tool was available for this. It is important to emphasize that it is a legal instrument designated by the court the concept does not refer to the lawfulness of data processing, compliance with data protection rules, but that the instrument used is not in itself infringing (such as a black market database is an infringing tool regardless of the data processing it performs). By infringing means it is not possible to carry out lawful data processing from the outset, but by lawful means from other conditions - purpose, legal basis, etc. - depending on the law, the data processing may be lawful or illegal. In the absence of identifiable based on the results of the analysis, the customer service would obviously not know who to call back, nor would the customer service staff be as controllable as the Customer checks them on the basis of its own declarations. (57) Although the Authority's investigation focused on the operation of the Software, it is such a complex data management the nature of the personal data is not determined by the fact that they can be identified within a subsystem. e is concerned. It is necessary to examine all data sources legally available to the Customer whether the condition of direct or indirect identification is met. The pseudonym (use of pseudonymous identifiers) enhances data security, but is not affected by unique identifying nature and quality of personal information of third party affected callers with regard to. With respect to Customer's telephone customer service personnel a the nature of personal data cannot even be questioned, as their names are also stored in that particular recording linked to an analysis result that is linked to a specific audio recording. The third Article 4 (1) of the General Data Protection Regulation is implicit in relation to data subjects identifies identifiable with direct identification and general Under Article 4 (5) of the Data Protection Regulation, the pseudonymous identifier itself is personal data other information stored in connection with it, provided that the identifier itself is given can be linked to a natural person. And a phone call doesn’t exist on its own, there is one behind it is a natural person. Customer service is always available at the beginning of telephone conversations identifies the person you are talking to, so both the listener and the potential retrievable recordings contain identifying information. That it turned out to the Customer according to his own statement, that in some cases the emotion recognized belonged to his own employee, it also justifies the possibility of unique identification. 1https: //curia.europa.eu/juris/document/document.jsf? Docid = 184668 & doclang = HU & cid = 1095511, 22 (58) Based on the above, the emotional state recognized by the Software, the length of silence, and the data associated with the caller ID and telephone number used will continue to be personal data shall be deemed to be independent of their encryption or pseudonymisation as long as they belong to certain persons may be linked to other data lawfully available to the Customer. The tapping back during the first audible data on the audio recording is always the identification of the speaker, so the listener in the case of recordings, there is not even a pseudonym at this point in the data management. It is independent of that whether the connection is made by the Customer in 2 specific cases, it is sufficient that legal means are available a available to you. From the fact that the length of silence, for example, is not primarily to the calling party, but to draw conclusions about the work of a customer service representative - which you are whether or not they are relevant to the human inspection - even where appropriate by the worker their personal data for the duration of the data processing. The fact that a piece of data is subsequently incorrect, inaccurate it turns out it does not yet call into question the nature of its personal data, as any - not just real - data linked to a specific natural person results in personal data. (59) In the light of the above, the provisions of the General Data Protection Regulation apply in principle apply to data management using the Software and is not applicable in the present case the opposite is true. III.3. Application of Artificial Intelligence in the Software (60) The Client received the present proceedings on 29 October 2021 under number NAIH-7350-2 / 2021. in its registered reply, it stated that “the Software does not use artificial intelligence contains no automated decision, the results of its analysis are solely with human input, may be used for interpretation. " (61) Information about the Software available through a public Internet search is provided by the company that developed it examining the website, the questions asked by the Authority and the answers given to them found the following. The software development company has one, its products more Hungarian company distributing in the country. According to the description available on the company’s website: “artificial intelligence and predictive analytics solutions, software development and customer service activities consulting, operations, project and HR management company […]. '3 (62) The basis of the operation of the Software is highlighted on the above Hungarian language website of the company An application called the Sound Analysis Platform ('the Platform'), which is described on the website as the developer published the following description: “The platform is a comprehensive one based on speech and data analysis performance and quality management solution for customer services. The application analyzes conversations at customer service from both the customer and operator side are recognized by angry, dissatisfied, frustrated, uncertain, neutral or satisfied atmosphere and additional factors affecting customer service quality and performance factors such as silence, music, speech rate, volume, speech quality and intonation, and other quality features. The system has full insight into all conversations being processed provides elements that have a decisive influence on the quality and performance of customer services. Get the most out of your customer service, reduce your average call time, and increase your performance the standard of customer service at the same time. In addition to advanced business intelligence-based analytics, active 2 when a website is made available to the public by a person, the data recorded by that service provider a dynamic IP ‑ address shall be considered as personal data in accordance with this provision for that service provider if it is lawful means are available to the person concerned at his or her internet service provider additional data " 3 […], 23 with automated performance management support, the system will be able to to make operator work more efficient. " 4 (63) According to the description in the English information page on the Platform, the Platform is mechanical it uses learning and artificial intelligence to identify and measure speech style based emotions, keywords and phrase-based emotional and such 5 speech characteristics such as speech rate, pitch, and articulation. On the side a statement from the developer regarding the operation of the product, that a well-trained neural network sorts the sound fragments into three main ones 6 category. (64) As stated in the descriptions referred to, the Platform is concerned with both artificial intelligence, machine learning and neural networks. (65) Artificial intelligence is the development of computers and robots in a way that allows them to operate in ways that can mimic or exceed human capabilities. Programs using artificial intelligence are able to analyze and place the data in context to provide information, or automatically 7 trigger certain events without human intervention. (66) Machine learning is, in fact, one of the possible paths to artificial intelligence algorithms are used in this subfield of artificial intelligence in such a way that they learn to automatically recognize what is present in the data patterns and correlations and then apply what they learn to make better decisions (or make better and better decisions). 8 (67) Neural networks are a possible approach within the field of machine learning, which building on a simplified scheme of human brain function, it seeks to provide a solution such as tasks that ordinary algorithms fail. The neural network is simple consists of units - neurons - each of which, in the pattern of real nerve cells, receives incoming signals receives and then outputs them together. However, the incoming signals are not the same individual neurons are taken into account to determine the output value, but described in statistical terms - weighted. The reason for this is illustrated by an example in best to use the neural network to estimate (forecast) real estate prices applied, the significance of a property in Budapest is not as important is located in the 3rd district and what is the level of comfort than in the 3rd or 4th. is located on the first floor. It is important to note that although neurons perform calculations, they do yet no processors. The main difference between the two is that as long as the processors programmed, that is, to be executed one after the other, essentially bound, and thus not by itself 4 […] 5 „[…] uses Machine Learning and Artificial Intelligence to identify and measure speech style based emotions, keyword, and expression- based sentiment, and speech characteristics such as speech rate, intonation, articulation, etc. ” 6 "An extensively trained deep neural network classifies speech segments into three main categories […]" 7See: https://ai.engineering.columbia.edu/ai-vs-machine-learning/ “Artificial Intelligence is the field of developing computers and robots that are capable of behaving in ways that both mimic and go beyond human capabilities. AI-enabled programs can analyze and contextualize data to provide information or automatically trigger actions without human interference. "; confirms this approach inter alia the legislative proposals of the European Union in the draft phase: https: //eur-lex.europa.eu/legal- content / HU / TXT / HTML /? uri = CELEX: 52021PC0206 8 See https://ai.engineering.columbia.edu/ai-vs-machine-learning/ “Machine learning is a pathway to artificial intelligence. This subcategory of AI uses algorithms to automatically learn insights and recognize patterns from data, applying that learning to make increasingly better decisions. ” 9 See more: Report from the Council of the European Union on artificial intelligence, its key competences and scientific methods; published: April 8, 2019; URL: https://digital-strategy.ec.europa.eu/en/library/definition-artificial-intelligence-main- capabilities-and-scientific-disciplines, 24 they are given a modifiable sequence of instructions that are always predefinable output meanwhile, the neurons are taught by adjusting the values of the weights, so they a depending on the algorithm used, even a value not known in advance by the user of the algorithm may result. 10 (68) According to the descriptions referred to above, the developer itself provides information that Platform as a software product, what parameters can identify and evaluate, and how to do so what IT methods and solutions in the field of artificial intelligence apply. (69) The Software is capable of being received and initiated by call center employees calls are automatically evaluated according to predefined rules, such as Check the employee according to the “greeting rule” properly greeted the customer, or the so-called. “Test rule” that the system is capable of check that the employee has tried to collect a sufficient number of questions from the client necessary information. (70) The system is an automatic evaluation of the performance of telephone customer service staff it is also able to measure how long it takes to ask a question within a call and the substantive response by listening to the worker (the so-called ‘silence period’), from which it is clear a conclusion can be drawn as to the level of knowledge and preparedness of the employee. 12 (71) Based on the above, it can be concluded that the Software using artificial intelligence performs the automatic processing of personal data, the result of which is, on the one hand, the data set up by it a list of the order to be recalled and, on the other hand, until they are deleted - which is the duration in the Client History Case 45Days - Recognized Emotions and Voice Recording Features for Individual Calls (eg length of breaks). It is not a condition for automatic data processing that the machine brings the decision, it is sufficient if the aim is to produce a result that influences decision-makers, are taken into account in the human decision that is being made here. This is confirmed by the Customer in the History Case 2021. The annex to the reply, received on 5 July, registered as NAIH-5161-5 / 2021 which, in the name of the file name, is a balancing of interests, in fact a privacy impact assessment document (identifier: ‘balancing test voicemining.xlsx’), according to which ‘Data management high risk for a number of reasons, in particular the novelty of the technology used, for audio recordings are analyzed automatically using artificial intelligence and findings are also made automatically. The totality of the data is from both stakeholder groups suitable for profiling or scoring, although automated decision making is not in the process, the processing may have legal effects on data subjects. ". (72) For the purposes of the foregoing, the Article 21 of the General Data Protection Regulation. In addition, the General Data Protection Regulation4. Article 4 (4) profiling will also take place as the data generated by the system - the system is essential due to its functionality - at the workplace of the Customer's telephone customer service employees shall also be used to monitor and evaluate the performance of those referred to in paragraph 4 (i) According to the Customer Statement and the online source identified in paragraph 66. It also supports profiling to rank dissatisfied customers for recalls based on keywords and emotions, which qualifies as a personal characteristic within the meaning of Article 4 (4) of the General Data Protection Regulation 10See more: Tamás Klein: Robot law or human rights? In: “Regulatory Challenges of Artificial Intelligence”, Budapest, 2021, 129. see also “A Closer Look at Neural Networks”; published: 08.08.2019 on the day; URL: https://docs.microsoft.com/en- us / archive / msdn-magazine / 2019 / february / artificially-intelligent-a-closer-look-at-neural-networks 11 […] 12 […], 25 evaluation. The term profiling is also used by the Client in paragraph 3 (i) above internal complaint concerning customer complaint number […] described in paragraph 3 (iii) (c) above. the data management information described in Data management is about the emotions of natural persons is based on a technology that performs analysis. This is with the statements made by the Client during the proceedings contrary to Article 24 of the General Data Protection Regulation. In accordance with the risk-based approach set out in Articles the responsibility of data controllers has also increased. III.4. Lack of proper information and right to protest (73) With sound analysis and automatic analysis and evaluation of their emotions, and from this no information has been provided to those concerned regarding the possibility of a subsequent recall they are given orally at the beginning of the conversation. (74) Customer does not provide any information referring to data management with the Software, but not specific information “Telephone Customer Service and Complaint Handling detailed data management information ”that states,“ Telephone customer service perform profiling based on legitimate interests for quality assurance and complaint prevention purposes; and selects calls in which the higher-skilled bank employee is qualified by automatic decision it eliminates the problem or complaint that arose during the telephone conversation by calling back. ”. In addition, the data subjects do not receive any information on what specific type of data they are how and how they are treated to evaluate their emotional reactions. Article 13 of the General Data Protection Regulation. It does not contain all the mandatory information other than the legal basis and does not indicate the purpose complete. Neither the “Telephone Customer Service and Complaint Handling Detailed Data Management Information” 3.1.8 of the Business Rules. does not indicate clearly and intelligibly to the average person concerned the duration of the data processing. (75) The purpose of the above information is to ensure quality assurance and to prevent complaints. Neither is that preventing customer migration or increasing internal efficiency are not included among the objectives set for it. (76) The Client’s statements set out in sub-paragraphs (vii) and (viii) of paragraph 4 above shall also be the above is confirmed by the fact that the Customer is aware that the sound analysis under consideration has not provided adequate transparency and transparency in the context of data processing for years concise information and the right to protest because of their particular difficulty. The opposite is true Customer data management information that states that it ensures the rights of the data subject. The Customer is reference to, inter alia, the adequate security of the rights of the data subject classified as risk - free and harm - free for several reasons data management. (77) The right to object to an automated data processing is not based on a legitimate interest depends on the decision of the data controller, the Customer is obliged to ensure the general data protection also under Article 21 of that Regulation. Due to the complete lack of a right to protest, basically in the present case there is in any case a breach of Article 21 of the General Data Protection Regulation, but in principle a Authority notes that telephone agitation for customer retention is similar to customer acquisition Article 21 (2) of the General Data Protection Regulation. shall have an objective right of objection in accordance with paragraph 1, for other purposes, quality control, increasing internal efficiency - Article 21 of the General Data Protection Regulation. A conditional right of objection pursuant to Article 1 (1) shall be granted. Not because of that, among other things the different purposes of the processing and the interests of the controller in the balancing of interests are appropriate, co-washing and joint evaluation as the end result - and the corresponding end result conditions to be met - may not be the same for each goal. (78) Although the consent was not cited by the Client as a legal basis, it also referred to this. With this In this respect, the Authority notes that it is only appropriate under the General Data Protection Regulation with in-depth knowledge, consent could be given through free and active action the basis of data management, which is the refusal of the service (telephone customer service) as excluded with legal consequences. The same is true for employees, as a rule of thumb According to the Commission, the application of that plea is precluded, it is entirely free from interference unthinkable in connection with the order. It is also fundamentally flawed and unacceptable Customer's argument that no complaint has been received so far with the data processing under investigation even if the persons concerned could not have been aware of it. (79) Based on the above, it relates to the analysis activity of the Customer's customer service sound recording processing of personal data in its present form infringes Article 5 (1) (a) of the General Data Protection Regulation. and (b), Article 12 (1), Article 13 and Article 21 (1) and (2). III.5. Qualification of Balance of Interest in Data Management with the Software (80) Artificial intelligence is defined in section III.3 above. operating principle as set out in point difficult to see and follow. This is one of the reasons why it requires special attention - not only that described on paper but actually implemented - the use of artificial intelligence is in the case of data processing where the transparency and transparency rules of the General Data Protection Regulation apply the data controller wants to meet the accountability conditions. This is beyond an average risk from the default expectation level for data processing, and - taking into account the risk-based approach under Articles 24 and 25 of the General Data Protection Regulation In view of the difficulty, the controller must decide when and for what uses artificial intelligence and how it ensures transparency in this regard. (81) An emotion analysis and satisfaction evaluation and recording system used in the Software effectiveness of the technical annexes submitted by the Client in the History Case (identifier: “voice screens.docx.doc ”) is relatively low. Nor does it reinforce that particular form implemented sound analysis is suitable to achieve the stated goals and use the current would be an unavoidable and proportionate restriction on the rights of data subjects, even if - not as in the present case - the rights of the data subject would be adequately secured by the Client. The client its balance of interests did not take this into account in any way from the date of the balance of interests or information about the review is not supported by the documents provided by the Customer, nor does it appear from the balance of interests that any regular review would be scheduled to verify that the actual operation of the Software meets expectations and adequately protects the rights of those concerned. (82) Customer's voice analysis activity using artificial intelligence - in particular, the assessment of the emotions of data subjects raises in itself a principle of data protection issues. In its 2012 annual report, the Authority stated years ago that “A The financial sector is at the forefront of new data management technologies. The bank hidden information from the analysis of the audio of conversations with its customer service they can also be extracted, from which the customer's ability to pay and ability to pay can be deduced. THE the use of tools to examine psycholinguistic traits and the emotional charge of speech However, it is not sufficient to examine the formal existence of the data subject's consent. THE Ranking technology based on speech processing is an intervention to such an extent that to the private sector and carries risks which the data subject incurs when giving his consent, unable to recognize and judge their impact on his or her rights to privacy. The Authority drew attention that data mining technology puts the financial institution in possession of data that which the client is not even aware of, so the use of such tools is the subject of the procedure 13 from its subject to its subject matter. " This is also evidenced by artificial intelligence the choice of the method of data processing and the guarantees and rights of the data subject is of paramount importance. Aliasing - the use of an internal sound recording identifier - in general useful, but not sufficient in itself, especially in the present case. (83) Decision No 5/2021 of the European Data Protection Supervisor and the European Data Protection Supervisor. s. common opinion on harmonized rules for artificial intelligence (artificial intelligence) Regulation of the European Parliament and of the Council The European Data Protection Supervisor and the The European Data Protection Supervisor also believes that MI is an individual's emotion its use is extremely undesirable and should be prohibited for some well specific uses - namely for medical or research purposes (for example, patients for whom it is important to recognize emotions), except in all cases adequate safeguards and, of course, all other data protection conditions and restrictions including purpose limitation. ”4 (84) In addition to the above, the findings and the reasoning set out in paragraph 4 (vii) and (viii) above on the basis of the statements set out in points (a) to (d) is not provided for the specific data management method, so the rights of the data subjects are the Customer's customer service his practice of analyzing recordings made by telephone voice recording completely empties him. (85) The balance of interests was not determined on a case-by-case basis, but all objectives were combined into one data management. The issue of suitability and proportionality had to be achieved in order to achieve the given data management purpose instead, the Client has only its own interests, whether perceived or real, in its judgment whether data management is necessary and proportionate, and even this is only formal according to the criteria. The Client has only determined that it has an interest in achieving it data management is required to enforce it, not the rights of the data subject compared to individual purposes the impact of its activities in the event of Proportionality, the affected side is not actually examined and downplayed significant fundamental rights risks. He took it out in a very factual manner taking into account the guarantee effect of adequate information and the right to protest, which rights a in reality, due to the design of the system, they are not fully provided to those concerned depriving the data subject of the right to self-determination. Thus, the result of the balancing of interests is explained above is fundamentally incorrect and misleading as to suitability and proportionality, nor is it it compares what it should. The fact that the Customer has fewer customer service staff performing the tasks is not in itself a disproportionate and appropriate reason for those involved and by the Authority and the European Data Protection Board data processing, which is considered undesirable and a high risk form. Innovation only benefits people if it is effective and coupled with strong guarantees. The Customer provides the increased warranties instead of the opposite demonstrated during the clarification of the facts in relation to the sound analysis. (86) Unfounded or incorrect planning and consideration of data processing does not constitute For an unavoidable reason beyond the Client's control, it is solely an intentional act of the Client, which started or continued the data management in the knowledge that it is essential suffered from deficiencies and was not actually substantiated by a balance of interests, only papered. Customer has not demonstrated that any alternatives have actually been considered. THE 13https: //www.naih.hu/eves-beszamolok? Download = 17: naih-beszamolo-2012-februar 14See paragraph 35: https://edpb.europa.eu/system/files/2021-10/edpb-edps_joint_opinion_ai_regulation_en.pdf, 28 voice recording - in case of complaints due to a legal obligation, otherwise the decision of the Customer is an unavoidable element of telephone customer service, and a significant breach of interest is that telephone customer service is not available to anyone who is connected to it at all - not at all you do not want to accept data management. If the Customer is required to record you want to perform additional data management operations with sound recordings, you want to analyze them automatically with new and not completely known risky technologies, it must comply with Article 6 (4) of the General Data Protection Regulation, as for a purpose other than that for which the data were collected wishes to process personal data. In such a case, whether those concerned can expect to be reasonable for data processing and new data processing for the original purpose - in this case the legal obligation the data controller is obliged to do so to check before starting data processing and the existence of appropriate guarantees is required to provide on an ongoing basis. Without the substantive knowledge and choice of those concerned, one an analysis of the sound recording available for a completely different reason cannot be considered from a data protection point of view it is lawful if the persons concerned could not have become aware of it, and the rights of the persons concerned by the guarantee they are missing, which, despite the knowledge of the Client, was not taken into account later, even in the knowledge of the Client continued data management. This justifies the intentional nature of the infringement. (87) At the discretion of the Client, the voices of its employees will also be analyzed and evaluated, which is based, inter alia, on Customer's declaration under paragraph 4 (i) above they are also used for performance pay. In the case of employee employees, it is also questionable whether how much actual protest they would have because of the dependency. This circumstance as well not considered by the Customer. Monitoring the performance of the contract with regard to employees, quality assurance, due to labor law rules, may be justified in certain circumstances certain legitimate interests. However, even in this case, suitability and proportionality are paramount which is, inter alia, the Client's own statement pursuant to paragraph 4 (xi) above nor is an appropriate system of guarantees provided in a conditional manner workers who are more vulnerable than a third party. The no an emotional analysis that is demonstrably effective and deeply and severely restricts the right to self-determination nor can it be substantiated in a reasonable way for workers. As in the case of employees specifically for performance at work in accordance with Article 4 (4) of the General Data Protection Regulation associated profiling, as well as a thorough analysis of the rules and guarantees involved required before processing data with a new technology, which the Customer also did not do in the balancing of interests. (88) The Authority also does not share the Client's view that there is no harm to the parties concerned suffer in connection with the data processing under investigation. The General Data Protection Regulation a serves the protection of the right to the protection of personal data, which is enshrined in Article VI of the Basic Law. Article 3 and Article 8 (1) of the Charter of Fundamental Rights of the European Union is a fundamental right. In the relevant legislation - such as the general data protection Regulation III. The rights of data subjects for the protection of fundamental rights set out in even without direct financial loss, causes significant violation of fundamental rights, and this is the case for a large number of stakeholders. According to the Customer's statement, this is means data management for about 1-1.5 million voice recordings per year. (89) The Authority also considers the applicability of Article 22 (1) of the General Data Protection Regulation considered with respect to the data processing that is the subject of the present case, as it is also affected by the Customer rights of the data subject to be ensured. The Customer also failed to do so in the data management planning during. The decision based on fully automated data management is implemented in this case stakeholders who are not selected for recall by the system or indicated by their administrators error, so in these cases a negative decision is made without human intervention. The workers In this case, the evaluation of work performance is also carried out. Nevertheless, in the present case, the Authority stated noted that Article 22 (1) of the General Data Protection Regulation it does not materialize in the event of a negative decision that it would have legal effect or a similar significant effect stakeholders in a decision based on fully automated data management, as they do not a reaction occurs. Human intervention is required to take further action on those individuals selected by the Software for recall or employment review, such as a significant impact is realized, but the decision is based on fully automated data management condition is missing. Therefore, in the present case, in all the circumstances of the case, the Authority does not established the applicability of Article 22 (1) of the General Data Protection Regulation, thus nor is it a violation of it. However, in the case of extensive automated data management, the consideration of interests The deficiency of the data controller is confirmed by the fact that the data controller does not consider this possibility in substance, such as it was also omitted by the Customer in the present case. (90) As explained in this section, the balancing of interests carried out by the Client does not the result based on the analysis required by the General Data Protection Regulation the priority of the legitimate interest established over the rights and freedoms of the data subject is not can be established during the given data management. III.6. Legality of Data Management with the Software (91) Due to the invalidity of the balance of interests, the Authority considers that the sound recordings should be excluded nor in connection with its automatic analysis by the Customer legal basis under Article 6 (1) (f) of the Data Protection Regulation, nor any other general data protection There is no legal basis listed in Article 6 (1) of the Regulation. (92) The Customer makes no warranties or representations with respect to third party parties no right of protest has been granted so far, so there are objective factors outside of emotion in this regard (words, pauses) is only possible if it is appropriate for proportionality and necessity perform this activity with appropriate guarantees. If it is requires an analysis of factors other than emotions that can be clearly identified in the information to be performed by the Customer, only with the guarantees in accordance with the general data protection regulation, no you can do it indefinitely. One of the great challenges of artificial intelligence is to ensure transparency which, in the present case, has completely failed to reach the parties concerned. (93) It is easier for the Customer to know about its employees than for third parties to base the analysis of objective factors (words, pauses) other than emotions, as the to check the obligations related to the performance of the customer service position - the bank account Unlike management, customer service may be required in certain circumstances analysis of sound recordings. For employees, information is also easier than a caller in the case of a third party who, if applicable, does not even have any legal relationship with the Client. However, the use of new and high-risk technology - including Hungary Also highlighted in the framework of the Artificial Intelligence Strategy - only very strong guarantees and can be done with proper planning in a reliable and people-centered way. Rights of the data subject emptying cannot be the goal and the result of development. A proportionate amount of and The identification of these types of data requires a more thorough and verifiable justification for data management when planning. If you use innovative and less known and regulated technology as a data controller, the expectation is higher than in the case of classic technologies, so the enhanced safeguards and careful planning are also needed to control workers take effect. This form of monitoring and profiling - especially for employees 15See paragraph 72: European Data Protection Board and European Data Protection Supervisor 5/2021. s. common opinion Page 1634, “Creating an effective and supportive Hungarian regulatory environment and ethical framework necessary for the operation of MI taking into account the EU legal framework. " https://ai-hungary.com/api/v1/companies/15/files/146072/download, 30 raises a number of legal and ethical issues that the Customer has not identified and not handled during data management. (94) Based on the above, by automatically analyzing the customer service voice recordings data processing practices in this form violate the general data protection regulation Article 5 (1) (a) and Article 6 (1) and Article 6 (4). III.7. Systemic violation of data subjects' rights (95) Pursuant to Article 12 (1) of the General Data Protection Regulation, the Customer must be so concise and provide, in a comprehensible manner, the minimum information necessary to understand data management data subjects, on the basis of which the data subjects are at least as essential as the data processing they are aware. This will not be done by the Customer in advance or during recalls and those who call customer service on the phone can’t guess their voices are automatic and cannot reasonably expect to be recalled without request, inter alia because of the tone of their voice. In accordance with Article 24 (1) of the General Data Protection Regulation novelty nature of data management, analysis of emotions and other psycholinguistic analyzes based on the sensitive nature of the data and the other data processing conditions set out above the data processing should be designed to ensure the maximum protection of the rights of the data subject and freedoms, which he clearly did not do. The fact that there have been few complaints about this so far received does not confirm that it did not bother those concerned, but that it did not reasonably bother they may have known about this, which in itself strongly questions privacy compliance. (96) Pursuant to Article 12 (2) of the General Data Protection Regulation, the Client is obliged to facilitate the exercise of the rights of the data subject. The right to protest is a fundamental guarantee that is lacking at all regardless of the other circumstances, it could in itself have failed to give priority to the legitimate interest the finding. The existence of a legitimate interest is not sufficient, it must precede it which is clearly not the case in the absence of adequate guarantees may exist. Given that it is within the Customer’s discretion and is manifestly untrue circumstance is the assurance of the rights of the data subject, this is not a careless mistake, only it is intentionally so far removed from the facts and the theory described in the deliberations is practical its implementation can only be deliberately ignored for years without a substantive review. (97) Pursuant to Article 25 (1) and (2) of the General Data Protection Regulation, the Customer has become obliged should be assessed before starting automatic sound analysis using artificial intelligence, whether data management is feasible in the current technical and social context subject to maximum compliance with data protection rules. The Client's consideration of interest is the reasoning above Contrary to the statements made in paragraph 4 (vii) and (viii) and the facts illegal status. Customer knew, or with due diligence he or she could have known in a way that was possible or not before starting data management it is possible to inform those concerned and to enforce the rights of protest and other data subjects. Pursuant to the above and Articles 24 and 25 of the General Data Protection Regulation, the Customer does not presume it could have decided to start voice analysis data processing in this form. (98) Customer may use the Software prior to the application of the General Privacy Policy a It was introduced in 2017. It is not clear from the text of the impact assessment and the balance of interests that: when it was created by Customer and reviewed at any time. The general privacy policy a reference to a regulation does not in itself indicate a specific date of manufacture. The impact assessment is formal appropriate, but its content as explained in this decision does not correspond to reality, the the issue of analysis of emotions is not substantially resolved, and these shortcomings are not addressed by the Client was clearly aware at the time of the impact assessment and during the operation of the mandatory regular, 31 review, including the review due to the introduction of the General Data Protection Regulation, at the time. This is confirmed by the statements of the Client presented in this decision. The system of adequate information in the General Data Protection Regulation serves to: the data subject must be aware of which personal data, which data controller and for what purpose, how will you handle it. This is essential to be in a position to affect your rights can practice on the merits. Article 6 (1) (f) of the General Data Protection Regulation in accordance with paragraph 47 of the General Data Protection Regulation information requirement applies. It is referred to in Article 13 of the General Data Protection Regulation in addition to specific information, it is an additional condition that the reasonable expectation of the data subject should be cover that data processing, you should expect that. In the absence of adequate information the data subject is not in a position to exercise his or her rights properly, especially when there is no real possibility to exercise the substantive right of protest. THE the obligation to provide information is not, as explained above, a mere administrative, Means a “securitization” obligation in the General Data Protection Regulation. A document its production is not in itself the fulfillment of the data controller's obligations, it is only a means of recording it there must be a substantive consideration and decision preparation, decision, and necessary at intervals to review them. Applying a new type and high-risk technology There is an increased expectation for both regular and substantive review. All in the preamble both Articles of the General Data Protection Regulation require the controller to achieve a result in determining its responsibilities, not just a specified minimum administration by the controller. The purpose of the information is to put the person concerned in a position to to be in an appropriate decision-making position regarding the exercise of the data subject's rights. THE There is nothing meaningful about data management and sound analysis using software information is not available to those who call the Customer's customer service by phone, or who are called or recalled by Customer Customer Service. (100) In the context of a legitimate interest, it is important to emphasize that it does not serve to that, unless otherwise possible, the controller may at any time and for any reason on other grounds in the absence of applicability, in accordance with Article 6 (1) (f) data. Although it seems to be the most flexible legal basis, using it is the controller takes significant responsibility - not only for the processing of personal data in the strict sense, but also for by assuming other related warranty obligations. No It is therefore a question of 'paperwork', but of a substantive task, a statement which is particularly true in the case of data processing, where the data controller is in a position of trust and significant dominance against price participants. Infringement of the rights of the data subject in the absence of appropriate guarantees the risk is such that the balance of interests is the result of its actual exercise it can only reasonably be expected that the legitimate interest of the third party will be overridden by the rights of the data subject. (101) It is very important for data controllers to be aware that they are not concerned and are not the Authority has the task and responsibility to process the data instead of the data controller in an official procedure identification and justification of its purpose and legitimate interests. What purpose and how legitimate intends to process personal data in the interests of the data subject, the data controller must be specific, at the data and target level be clearly justified, weighed up and guaranteed. These guarantees must to ensure, inter alia, that the data subject is aware of the data processing and that be able to object to the data before the processing, since after the processing, especially in the case of short-term or one-off data processing - the right to protest is already exhausted, thus in fact, this right is not granted to him. In the present case, as explained above it can be stated that in recital 47 of the General Data Protection Regulation specified predictability and warranty conditions at system level, selected by Customer have not been met due to the mode of implementation. Possibility of adequate information and prior protest, it cannot be technically ruled out, only the solution chosen by the Customer did not allow the Client is aware of the statements made during the procedure and presented in the explanatory memorandum. (102) The violation or reduction of the rights of the data subject also means that the right chosen by the Customer is legitimate in the case of data processing based on the consent of the data subject the Customer provides worse conditions. In the case of the data subject's consent, the consent of each for data processing purposes, such as voice recording initiated by the data subject due to the handling of complaints and the subsequent analysis of the sound recording thus made - a separate reason for rejection would deserve. Because the recording of the sound is not in the first place with the consent of the data subject, but for the most part is based on a legal obligation which significantly restricts the freedom of the data subject from the outset in addition, with respect to further data processing, the Customer shall, at the unilateral discretion of all parties concerned the removal of the option only exacerbates the already severely restrictive situation. The client - among other things - he deliberately ignored this obvious fact on paper only in the sole discretion of its own business, which is contrary to the general rule with the requirements of the Data Protection Regulation for data controllers. (103) The systemic violation of the rights of the data subject is also confirmed by the fact that in the The customer was not able to provide basic information about the data management to the complainant in an understandable way either, not even by expressly requesting this to be complained about by the complainant on the Customer's website for a single general sentence which aroused his suspicion (see paragraph 3 (iii) (c) above). The client nor could he subsequently describe in a way that was comprehensible and specific to the complainant for what purposes, which data on which legal basis and how it handles in the context of sound analysis are only specific without making general findings and references in his response to data management compliance. Customer's defense that no such issue has arisen so far is not relevant on the one hand because there is no such aspect in the General Data Protection Regulation on the other hand, the main lack of information of the data subjects so far is the main reason lack of interest so far. Information under Article 13 of the General Data Protection Regulation obligation is not infinite, its express purpose is to protect the data controller, in this case the Customer. the vast majority of information available to data subjects regarding their data processing operations equalization. If it is a complex and new technology of data management, then this information dominance is also typically greater than data processing without such characteristics so the Customer should have paid even more attention to compensating for this. This however, despite its legal obligation, the Customer has not done so. This in turn supports that generally does not meet the Customer 's consciously designed system of built - in and the principle of default privacy. (104) Based on the above, by automatically analyzing the customer service voice recordings data processing practices in this form violate the general data protection regulation Article 12 (1), Article 24 (1) and Article 25 (1) and (2). III.8. Legal consequences (105) In accordance with Articles 58 (2) (i) and 83 (2) of the General Data Protection Regulation, the may impose a data protection fine in place of or in addition to other measures. That's not it it was doubtful that the general data protection regulation would violate the general data protection law Article 58 (2) (d) of Regulation (EC) No 1/2003 requires the controller to bring data management into line with the general data protection regulation. Due to the nature of data management the Authority set a deadline of 60 days instead of the usual 30 days. In addition, the Authority in accordance with the applicable case law, the general rule for imposing a fine in such a case is the aspects listed in Article 83 (2) of the Data Protection Regulation in the statement of reasons for the decision (106) As to whether a data protection fine is justified, the Authority Article 83 (2) of the Data Protection Regulation and Infotv.75 / A. § considered ex officio all the circumstances of the case and found that in the case of the infringements detected in the present proceedings a conviction under Article 58 (2) (b) of the General Data Protection Regulation does not is a proportionate and dissuasive sanction and a fine should therefore be imposed. Above all, in this round the Authority took into account that the Client's data management practices are essentially complete in its entirety disregarded the relevant legal obligations without being treated personally that it has made any real effort to ensure the lawfulness of the data processing outside the formal administration. In the present case, the protection of personal data - which a It is the task of the Authority - not in the light of all the fining circumstances detailed below available without imposing a data protection fine. Infotv. None of the circumstances under § 75 / A exists the Client does not qualify as a small or medium-sized enterprise. The imposition of fines is both special and it also serves general prevention, for which purpose the decision is also on the Authority's website will be published. (107) In setting the level of the data protection fine, the Authority took it as an attenuating circumstance taking into account: (i) no direct decision is made with the Software as a result of artificial intelligence which are corrected by human review (Article 83 of the General Data Protection Regulation) Paragraph 2 (a) (ii) the Authority has not yet identified a data breach against the Customer (general Article 83 (2) (e) of the Data Protection Regulation). (108) In setting the level of the data protection fine, the Authority considers aggravating circumstances has taken into account: (i) The nature of the breach is particularly serious, serious, the case is significant, general data protection The Customer has violated several provisions of this Regulation. The largely automated data management, the use of new technology, the societal issues it raises about the challenges of the digital age, and the inadequacy of the controller's responses to them in the present case beyond the individual assessment they also make it significant on a theoretical level. The conduct of the data protection authorities in the present case many data controllers may be decisive in the future for many similar data processing operations, which is an invaluable amount of personal data for many millions of data subjects in Hungary may affect your treatment. (Article 83 (2) (a) of the General Data Protection Regulation) (ii) A longer period of time before the General Data Protection Regulation became applicable from the date of application of the General Data Protection Regulation has existed continuously and continues to exist. (Article 83 (2) of the General Data Protection Regulation) paragraph (a) (iii) The extent and market position of the Client's data management and in the financial sector based on its activities, the expectation of the Client is higher than the average in the case of a data controller, the number of sound recordings affected by automated data processing is 1-1.5 per year million. (Article 83 (2) (a) of the General Data Protection Regulation) (iv) The data management activity was performed using new and risky technology. The bank sector is a particularly sensitive area, the responsibility of financial institutions to customers and usually of a similar magnitude but operating in a different field compared to data controllers. It is fundamentally the opposite of confidence in the financial sector inadequate use of technology that raises significant fundamental rights issues, and, in the absence of adequate guarantees, significantly infringes the rights of the data subject. (general Article 83 (2) (a) and (d) of the Data Protection Regulation) (v) Analysis of human emotions by artificial intelligence in both the Authority and7 the practice of the European Data Protection Board and the European Data Protection Supervisor in its view, it is very risky and should, as a general rule, be avoided outside certain areas. Significantly stronger guarantees and more meaningful consideration when using such technology necessary than what the Client has certified on the basis of the facts revealed. (general privacy policy) Article 83 (2) (a) and (d) of the Regulation) (vi) Only a “paperless” balance of interests contrary to the obvious facts is serious large-scale downgrading and disregard of risks is internal to the Client in its materials and regulations, in its balance of interests, the impact on the stakeholders is substantial complete lack of investigation in advance and during data processing, the right to information and Emptying the right to protest is supported by data protection rules to circumvent. There must have been at least a possible intention to infringe, accidentally a the above is not feasible. Based on its statements, the Customer may have known that due to the above data management may be problematic, but you have deliberately ignored these considerations in making its decisions on data management, based on a fictitious situation turning a blind eye to reality. (Article 83 (2) (b) of the General Data Protection Regulation) (vii) The Customer has not done anything about the right to information and the right to protest because, according to his statements, he considered it impracticable instead of would have modified the processing in accordance with the general data protection regulation able to fulfill its obligations. (Article 83 (2) (c) of the General Data Protection Regulation) (viii) Article 24 (1) of the General Data Protection Regulation takes a risk-based approach prescribes to the Customer, which it did not fulfill in the present case. No recording of voice recordings can be avoided by those concerned, in which case they may be used for any further purpose should be judged more strictly. Exclusion from the use of telephone customer service is the Customer the only alternative offered by the Commission, which is not a real choice for those concerned, moreover this is also questionable for the parties called by the Customer, nor in the absence of adequate information most of those involved in a decision-making situation under Article 25 of the General Data Protection Regulation can be traced back to a systemic problem that violated this principle. Artificial intelligence is not applied with due care without prior artificial intelligence poses orders of magnitude greater risk than automated data processing, which can only be assessed in the strictest way. (Article 83 of the General Data Protection Regulation Paragraph 2 (d) (ix) The regulation governing a specific new technology is still very rudimentary, so this should have been considered as an increased risk in the assessment, as well as the specific In the absence of strong specific guarantees arising from the unregulation of this area, the Customer would have been stronger than usual under the General Data Protection Regulation guarantees, but did not reach the average level of guarantees. (general Article 83 (2) (d) of the Data Protection Regulation) (x) The guarantee effect of the pseudonymisation used was negligible only because a in practice, all employees who access the Software and listen to the recordings times the caller is identified, as the recorded call is always with personal identification begins, and among other things, this obvious circumstance appeared untrue 17 See General Data Protection Regulation35. Article 4 (4) published impact assessment list21. point: https://www.naih.hu/hatasvizsgalati-lista, 35 during the balancing of interests, as a guarantee existing only on paper. (General Data Protection Regulation 83. Article 2 (2) (d) (xi) Data processing involved the recording and analysis of personal data such as the emotional state, the voice of the person concerned, the obscene vocabulary that touches more deeply on the privacy of data subjects as a technical or contact data, their treatment is a priority need. (Article 83 (2) (g) of the General Data Protection Regulation) (xii) The Authority only became aware of a complaint in the History Case The delayed processing of data by the customer in the present proceedings the acquisition was due to the Customer's omission detailed in paragraph 51 above. (Article 83 (2) (h) of the General Data Protection Regulation) (xiii) The Client's total annual net sales in 2020 were HUF 81,002,000,000, therefore a small no punitive or deterrent effect would be individual or detrimental in general terms. (Article 83 (2) (k) of the General Data Protection Regulation) (xiv) The Customer shall use the data processing specifically for indirect profit-making purposes, internally in order to reduce costs and make a profit by retaining customers, and unlawfully subordinated to this to all other statutory account aspect to be taken into account. (Article 83 (2) (k) of the General Data Protection Regulation) (109) In view of the above, the Authority considers that, in all the circumstances of the case, the operative part considered that the imposition of a data protection fine of EUR 1 000 000 was proportionate in all the circumstances of the case and deterrent. ARC. Other issues (110) Infotv. According to Section 38 (2), the task of the Authority is to protect personal data, and the right of access to data in the public interest and in the public interest monitoring and facilitating the enforcement of personal data within the European Union facilitating the free movement of Infotv. Pursuant to Section 38 (2a) of the General Data Protection Act Hungary shall exercise the responsibilities and powers laid down in this Decree for the supervisory authority in the General Data Protection Regulation and e exercised by the Authority as defined by law. Jurisdiction of the Authority Hungary covers the whole territory. (111) Art. Pursuant to Section 112 (1), Section 114 (1) and Section 116 (1) a There is an administrative remedy against the decision. * * * (112) The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by decision of the Authority The administrative lawsuit against the court falls within the jurisdiction of the court Section 13 (3) a) Pursuant to point (aa) of the Act, the Metropolitan Court has exclusive jurisdiction. A Kp. Section 27 (1) According to him, legal representation is mandatory in administrative proceedings before the tribunal. A Kp. Section 39 (6) the submission of the application for the entry into force of the administrative act has no suspensive effect. (113) A Kp. Section 29 (1) and with regard to this, Act CXXX of 2016 on Civil Procedure. applicable under section 604 of the Act, electronic administration and trust services CCXXII of 2015 on the general rules of pursuant to Section 9 (1) (b) of the Act his legal representative is obliged to communicate electronically. The time at which the application was lodged and, location of the Kp. Section 39 (1). The possibility of a request for a hearing information on the Kp. It is based on § 77 (1) - (2). (114) The amount of the fee for an administrative action is set out in Act XCIII of 1990 on Fees. law (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee is Itv. Section 59 (1) and Section 62 (1) (h) shall release the party instituting the proceedings. (115) If the Client does not adequately demonstrate compliance with the required obligations, the Authority will: considers that it has not fulfilled its obligations within the time allowed. The Ákr. According to § 132, if it is Customer has not complied with the obligation contained in the final decision of the Authority, it is enforceable. THE Authority's decision on the Ákr. Pursuant to Section 82 (1), it becomes final with the communication. The Ákr. 133. §, unless otherwise provided by law or government decree - a ordered by the decision-making authority. The Ákr. Pursuant to § 134, enforcement - if law, a government decree or, in the case of a municipal authority, a local government decree, otherwise by the state tax authority. Infotv. Pursuant to Section 61 (7), the Authority to perform a specific act, to behave in a specific manner, the Authority shall enforce the decision in respect of the obligation to tolerate or discontinue implements. Budapest, February 8, 2022 Dr. Attila Péterfalvi President c. university professor